Secure Document Destruction: Rethinking Paper and Privacy

Are you aware that paper documents can be a catalyst for data breaches? While the term “data breach” is often linked to mishandling electronic records, the significance of paper privacy and secure document destruction is often overlooked. However, paper documents continue to play a vital role in the business environment, and disposing of them improperly can lead to expensive breaches.

In this blog, we will explore prevalent misconceptions surrounding the concept of a paperless office—and the important data privacy laws to keep in mind to maintain security.

The Myth of the “Paperless” Office

Despite the push for organizations to become “paperless,” a surprising number of employees still rely on paper for their core business functions. 44.23% of employees use paper in their position daily, with only 2% stating they never use paper.

In legal, accounting, and HR environments, paper is a common denominator in administrative and record-keeping processes. While today’s financial firms have automated transaction processes, they often trust hard copies over digital files when making significant investments and agreements. Additionally, 90% of healthcare providers utilize paper and manual methods in their patient collections.

Not only do physical files contain personally identifiable information (PII), but organizations are exposed to the risk of a breach if documents are not correctly stored or securely shredded. According to a recent report, paper and film-based records, rather than electronic records, are at the root of 65% of hospital data breaches.

Privacy of Consumer Information

With the rise of identity theft in the Information Age, various statutory requirements and laws have been formed to ensure the confidentiality of personal information. These regulations govern how long paper records must be stored and how to dispose of them securely.

Noncompliance with destruction regulations can result in severe consequences, including hefty fines and damages. So how can you ensure that you’re up to date with the latest privacy and destruction laws? Here’s our privacy protection guide to get you started.

Guide to Data Privacy Laws

General Data Protection Rule (GDPR)

On May 25, 2018, the EU’s data privacy regulation, GDPR, came into force. GDPR applies to organizations operating within the EU as well as businesses outside of the EU that provide products or services to consumers or companies inside the EU.

Under the terms of GDPR, organizations must ensure personal data is gathered legally, protect against its misuse, and respect the rights of data owners. One of the key takeaways from the GDPR rules is that companies must take a far more proactive approach to preventing data breaches by securely storing and deleting information. Paper copies containing personal data that are kept and not securely destroyed can become a significant GDPR compliance issue.

Noncompliance with GDPR may result in fines of 20 million Euros ($22.6 million U.S. dollars) or 4% of an organization’s annual income.

FACTA Disposal Rule (Fair and Accurate Credit Transactions Act)

The Fair and Accurate Credit Transactions Act (FACTA) is federal legislation aimed at preventing and penalizing consumer fraud and identity theft. Administered by the Federal Trade Commission (FTC), the FACTA Disposal Rule has been in effect since June 1, 2005.

The Disposal Rule outlines reasonable measures for disposing of consumer report information to prevent unauthorized access to it and misuse of it. Disposal actions may include instituting policies to “burn, pulverize, or shred papers containing consumer report information” or “conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information.”

Failure to comply with the Disposal Rule can result in severe penalties ranging from $1,000 to $2,500 for each violation.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act was established in 1999 and requires financial institutions to disclose how they share and protect their customers’ information. GLBA identifies protected information as “nonpublic personal information” (NPI). Examples of NPI include driver’s licenses, Social Security numbers, insurance information, and loan statements.

Although the GLBA provides flexibility for institutions to scale security solutions that align with their business size and complexity of operations, compliance should not be dismissed. Institutions can be subject to a civil penalty of $100,000 per violation. Additionally, company officers and directors can be fined and receive up to five years of imprisonment.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley (SOX) Act requires publicly held companies to establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. SOX was enacted in response to the high-profile corporate financial scandals of the early 2000s and imposed more stringent recordkeeping requirements.

Under SOX, records are considered any materials that consist of information about the organization’s plans, policies, results, or performance. To comply with SOX, organizations must save all business records, including both paper and electronic documents, for no less than five years. Depending on the nature of the files, the timeframe to maintain and retain them may be longer.

When it comes to the end of a document’s retention period, it’s extremely important for companies covered under the SOX Act to safely destroy their data to ensure information cannot be accessed or reconstructed. The secure document destruction of records is considered best practice. Consequences for SOX noncompliance may include fines, imprisonment, or (in some cases) both.

Health Insurance Portability and Accountability Act (HIPAA) of 1996

The HIPAA Privacy Rule institutes national standards to safeguard individuals’ medical records and other personal health information (PHI). It covers all forms of PHI, including film, electronic information, and paper records.

Under HIPAA, covered entities must implement safeguards to avoid the misuse or disclosure of PHI, including when disposing of it. Thus, “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

HIPAA fines are costly. They range from $100 to $50,000 per record or violation, with a maximum fine of $1.5 million per year for each violation.

The Family Educational Rights and Privacy Act (FERPA)

FERPA protects the privacy of student and parent information. When FERPA was first enacted in 1974, it primarily addressed the improper disposal of files in the physical realm. However, the destruction of digital documents is outlined in new provisions.

FERPA requires the setting of a mandatory destruction date for nearly all confidential information involving a student (excluding some academic data). While courts have routinely held that FERPA does not provide a private right of action against educational institutions, complaints may be filed with the U.S. Department of Education.

FERPA noncompliance may result in the forfeit of federal funding or monetary damages for improper disposal at the state level.

While this guide provides an overview of the most referenced data privacy laws, it’s always recommended to seek legal counsel to ensure compliance with regulations that apply to your specific business and industry.

Secure Document Destruction: Ensuring Privacy for Paper

As companies shift from paper-dependent processes to digitization, it’s essential to not overlook the security of paper documents. It’s highly recommended that business owners stay updated with privacy regulations and best practices for secure document shredding, whether of physical or electronic files.

Secure document destruction of records that have reached the end of their retention period minimizes the chances of critical business information falling into the wrong hands. By contracting with paper shredding companies, like VRC, that adhere to best practices for securely destroying your data, your business can avoid hefty fines and preserve confidential information. Get started with a complimentary consultation for your next shred project.

